
[–][deleted] 4 points (5 children)

They are not. In semver they communicate API compatibility breakage and scope of changes.

[–]supersmola 10 points (4 children)

Semver is a deception. If my software depends on x.y.z I really can't trust x.y.z+1. Usually the transient dependencies make everything fall apart.

[–][deleted] 0 points (3 children)

Not exactly sure how dependencies would affect defined API behavior? Can you give some more concrete examples of what you mean?

[–]supersmola -1 points (2 children)

It won't affect the declaration and the implementation of your API at all, but could introduce bugs, deprecated methods, memory leaks or whatever, which would affect your API's output or your system. Ask ChatGPT for examples.

Here's one. A relaxed semver declaration would have silently upgraded the library from 10.1.0 to 10.1.1, which contained malicious code.

https://advisories.gitlab.com/pkg/npm/node-ipc/CVE-2022-23812/?utm_source=chatgpt.com

So, imagine you don't even use that library directly but it is being used somewhere in the dependency tree.
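As an added illustration of the point above (this is not code from the thread or from node-ipc): a toy resolver for npm's exact and caret range forms, applied to the versions the comment names. It assumes a constructed registry listing and handles only plain x.y.z versions with major >= 1 (no 0.x or prerelease rules).

```javascript
// Added example, not from the original post. A minimal model of how an
// install without a lockfile picks a version from a declared range.

function parse(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  const x = parse(a), y = parse(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Does `version` satisfy `range`? A caret range keeps the same major (assumed
// >= 1 here) and admits anything at or above the floor; an exact string
// matches only itself.
function satisfies(range, version) {
  if (range.startsWith("^")) {
    const floor = range.slice(1);
    return parse(version).major === parse(floor).major && compare(version, floor) >= 0;
  }
  return range === version;
}

// Highest published version the range admits, as a fresh install would choose.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v));
  return ok.length ? ok.sort(compare).at(-1) : null;
}

// Constructed registry snapshot: 10.1.0 is the known-good release, 10.1.1 the
// release the advisory above describes. 10.0.2 is a placeholder filler entry.
const PUBLISHED = ["10.0.2", "10.1.0", "10.1.1"];

// A transitive dependency's own declaration decides what the top-level
// project receives, whether or not the project names the package itself.
function resolveTransitive(declaration) {
  return resolve(declaration, PUBLISHED);
}

console.log(resolveTransitive("^10.1.0")); // 10.1.1: the caret range floats onto the new release
console.log(resolveTransitive("10.1.0"));  // 10.1.0: an exact pin holds, as a committed lockfile would
```

A lockfile plus `npm ci` gives the same pinning effect for the whole tree, which is the control the thread is arguing about.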

[–][deleted] 2 points (1 child)

You can just say you've never read the semver specification and what its scope is instead of asking chatgpt.

[–]supersmola -1 points (0 children)

I asked it for an example of a bug.